From e8bf322846a910f6c02a3a435795d83f305430c0 Mon Sep 17 00:00:00 2001
From: Neil Matatall
Date: Fri, 11 Nov 2016 06:34:32 -1000
Subject: [PATCH] quick and dirty strict-dynamic support'
---
 lib/secure_headers/headers/policy_management.rb | 1 +
 .../secure_headers/headers/content_security_policy_spec.rb | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/lib/secure_headers/headers/policy_management.rb b/lib/secure_headers/headers/policy_management.rb
index 408c86ac..20d45753 100644
--- a/lib/secure_headers/headers/policy_management.rb
+++ b/lib/secure_headers/headers/policy_management.rb
@@ -14,6 +14,7 @@ def self.included(base)
 STAR = "*".freeze
 UNSAFE_INLINE = "'unsafe-inline'".freeze
 UNSAFE_EVAL = "'unsafe-eval'".freeze
+ STRICT_DYNAMIC = "'strict-dynamic'".freeze
 # leftover deprecated values that will be in common use upon upgrading.
 DEPRECATED_SOURCE_VALUES = [SELF, NONE, UNSAFE_EVAL, UNSAFE_INLINE, "inline", "eval"].map { |value| value.delete("'") }.freeze
diff --git a/spec/lib/secure_headers/headers/content_security_policy_spec.rb b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
index 01edc3ac..8e43601f 100644
--- a/spec/lib/secure_headers/headers/content_security_policy_spec.rb
+++ b/spec/lib/secure_headers/headers/content_security_policy_spec.rb
@@ -107,6 +107,11 @@ module SecureHeaders
 expect(firefox_transitional).not_to match(/frame-src/)
 end
+ it "supports strict-dynamic" do
+ csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC], script_nonce: 123456}, USER_AGENTS[:chrome])
+ expect(csp.value).to eq("default-src 'self'; script-src 'strict-dynamic' 'nonce-123456'")
+ end
+
 context "browser sniffing" do
 let (:complex_opts) do
 (ContentSecurityPolicy::ALL_DIRECTIVES - [:frame_src]).each_with_object({}) do |directive, hash|
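Review bot: The new `STRICT_DYNAMIC` constant carries no note on how it changes the meaning of the rest of `script-src`, and unlike its neighbours the name alone does not convey it: in browsers that implement it, 'strict-dynamic' causes host-source and 'unsafe-inline' entries in that directive to be ignored, so a policy using it is only as strong as its nonce or hash, and the host allowlist remains purely as a fallback for browsers that do not implement it. Suggest a comment directly above the added line such as `# 'strict-dynamic' makes supporting UAs ignore host sources and 'unsafe-inline' in script-src; it must be paired with a nonce or hash, and the host allowlist is kept only as the fallback for other UAs.` The `DEPRECATED_SOURCE_VALUES` list just below is left unchanged, so an unquoted `strict-dynamic` is not normalized the way `unsafe-inline`/`unsafe-eval` are; that may be intentional for a new rather than leftover value, but it is worth a comment if so. The constant block begins outside the hunk, after the `self.included(base)` named in the header.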
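Review bot: The new example pins only the Chrome output with a nonce present; it does not assert what `value` emits for a user agent that does not support 'strict-dynamic', nor that host sources listed alongside it survive in the header as the fallback those browsers depend on. A second example on the same lines would make that visible, e.g. `csp = ContentSecurityPolicy.new({default_src: %w('self'), script_src: [ContentSecurityPolicy::STRICT_DYNAMIC, "https://cdn.example"], script_nonce: 123456}, USER_AGENTS[<NON_CHROME_UA_KEY>])` followed by an `expect(csp.value)` that checks both the host source and `'nonce-123456'` are present (the UA key is a placeholder; pick one from the `USER_AGENTS` table this spec already uses). A third case without `script_nonce` would document whether the library rejects or silently emits a `script-src 'strict-dynamic'` that blocks every script. The enclosing describe/context block starts outside the hunk.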